Questions From Pre Bid Conference€¦ · Security and Penetration Testing D80B5400025 (SVPT) Questions From Pre Bid Conference Question 1, Page 6 & 7 MR. GONZALEZ: Once we get our

Security and Penetration Testing D80B5400025 (SVPT)

Questions From Pre Bid Conference

Question 1, Page 6 & 7 MR. GONZALEZ: Once we get our questions over to you tomorrow, what's the time line for getting it back to us so

that we can put our response on a final report?

Answer: MR. SPENCE: We're going to get them back as soon as possible.

Question 2, Page 8 MR. GONZALEZ: So is the volume of questions or the amount of time it's going to take to get -- answer those questions, going to impact the final date? The 31st is the date today right now. Is that -- would

that push that back?

Answer: MR. SPENCE: If we feel like we need an extension, then we will extend it.

Revised Answer: Please see the amended TORFP. MIA has extended the closing date until 03/17/2017.

Question 3, Page 8, 9 MR. TRUMP: The question I have is, we deliver a host of services and one of the things I noted that we've seen a lot of other agencies look for is incident response. And I was wondering if it's -- if

it's too late to provide an optional service such as incident response program review, retain

incident response services for instance to supplement the MIA's security program That's one of

the questions I have.

It wasn't requested as one of the items in the technical scope. So we were wondering if -- if it's

possible to add an optional scope to this at this time, If it's not, then understood. But we did want

to ask that question.

Answer: MR. SPENCE:

That's something we're going to research and get back to you on.

Revised Answer: Section 2.15 of the SVPT solicitation titled “SECURITY REQUIREMENTS

AND INCIDENT RESPONSE,” defines the incident response requirements for this

solicitation. MIA does not intend to amend that section.

Question 4, Page 10 MR. MAMMO: You have required us to have three personnel performing this project. But you have not specified

which positions. In the CATS+ contract, there are positions under the contract. And usually when they run down RFPs, they will choose what the category, meaning which positions for that

level categorization for this -- this RFP. So my question is can you tell us what those three positions are or is it open for us?

The job categories are – are fixed. There is a list of job positions under CATS+. So when you are -- are asking us to submit personnel, it has to be from that -- one of those listings.

Answer: MR. SPENCE: I'll have to take a look at what you're talking about. Please submit that in writing and we'll answer your questions.

Revised Answer: Contractor responsibilities including, KEY Personnel requirements are

defined in section 2 of the solicitation. Offerors may propose job descriptions for KEY

Personnel. Those job descriptions do not have to correspond with job descriptions under the

CATS Plus master contract.

Question 5, Page 11 MR. MAMMO: How does that impact -- how soon you can respond back when the project is due? Like if you do

not respond by let's say January 30th and the project is due the next day, that means we didn't

have enough time to send our responses. So can you give us at least one week working -- after

you give the responses?

Answer: MR. SPENCE: We're going to do our best to get the answers to the questions out as quickly as possible. If we feel like we need to put an extension, then we will give you a reasonable amount of time to

respond.

Revised Answer: Please see the amended TORFP. MIA has extended the closing date until 03/17/2017.

Question 6, Page 12 MR. BROWN: The level of -- one of the requirements has a level of detail for a scan. And it wants us to look at

potential compromised systems. Are you expecting a forensic analysis or a very high level scale

of IP addresses and those external locations that are probably coming into your environment that

you weren't aware of?

Answer: MR. COBURN: Not a forensics analysis. MR. BROWN: So not a deep dive? Answer: MR. COBURN: No

Question 7, Page 13, 14 MR. BROWN: There's a certification in there that you're requiring from some of the individuals. MS. ESLIN: The IAM Certification MR. BROWN: Yeah. Is that a hard stop if they do or don't have that certification for individual

firms? MR. TRUMP: Same question, same concern.

Answer: MR. SPENCE:

If we were to change that, it would require like some sort of amendment. So I could say for now,

it's a hard stop. If it's in the solicitation, then that's what we're asking.

Revised Answer: Please see the amended TORFP. The InfoSec Assessment Methodology

(IAM) Certification and the Cisco Master Security Specialized Partner Certification are now

preferred qualifications.

Question 8, page 15 MR. TRUMP: Is all the work to be conducted in one facility or is there multiple MIA facilities in your --

Answer: MR. COBURN: One facility.

Question 9, Page 15, 16 MR. TRUMP: And then to clarify, the three requirements -- the external testing, internal testing, PEN testing --

so there's a few ways we could bucketize [sic] this research. One, for instance, would be full vulnerability scan and so forth without invasive action on the external and internal providing all of the theoretical holes that are there with mitigation recommendations.

And then secondly, using the PEN test for actually -- an -- attack attempts. Otherwise, we could

do an internal/external PEN test with full capability, which would omit the need for another PEN test following. So we're anticipating to provide a response to vulnerability scans and non-

invasive testing for the internal/external with full reporting and then do the attack testing internally using the PEN test binary.

Answer: MR. COBURN: I would submit a question on that.

Question 10, Page 16 MR. BROWN: Is this the first time you've done this level of testing or has it been done in the past by another vendor?

Answer: MR. COBURN: We've had a light testing done by DOIT. They offered a free web assessment vulnerability test. MR. BROWN: But not a scaling test like this? MR. COBURN: No. This is the most intensive test we've had to date.

Question11, Page 17 MR. BROWN:

MR. COBURN: I don't want to guess. I think it's a continued in the future, I believe but I, you know -- submit that question and we'll respond.

Question 12, Page 17 MR. MAMMO: And finally, when do you expect to start this project?

Answer: MR. SPENCE: As soon as possible.

Question 13, Page 17 MR. GONZALEZ: We saw the certifications changed with the last solicitation. You know, what was the emphasis around that? Was that -- again, is that a hard stop or, you know, just questioning regarding that as

far as -- again it's not a certification. It's not,

MR. COBURN: Which certification are you talking about?

MR. MAMMO: The SSCP. MR. GONZALEZ: The SSCP --

MR. MAMMO: That was added after the last revision on January 1st.

Answer: MR. COBURN: Submit a question on that and we will get some clarifications. I believe all the minimum requirements are going to be required for this test.

MR. SPENCE: The minimum requirements aren't going to change.

Revised Answer: Please see the amended TORFP. The InfoSec Assessment Methodology

(IAM) Certification and the Cisco Master Security Specialized Partner Certification are now


Questions From Email

1. Will InfoSec Assessment Methodology (IAM) Certification be required and can exception be granted if this not currently available?

Please see the amended TORFP. The InfoSec Assessment Methodology (IAM)

Certification and the Cisco Master Security Specialized Partner Certification are now


2. What is the budget expectation for this work effort for the base year and then optional years?

The Budget approved for this service is $30,000.00

3. Who is the current provider of these services? No current provider.

http:30,000.00

4. How many document reviews and interviews will be expected for each of the specific requirements in section 2.6 (A, B, C, D, E, and K)?

The State’sDepartment of Information Technology (DoIT) Security Policy and the MIA’s

Security Policy are the only internal document we expect to be reviewed. The number of

interviews would be determined by the vendor.

5. How many scans per year are expected for each of the requirements in section 2.6? We expect that all scanning in the scope of the TORFP as defined in Section 2.8.4 would

be done once during the contract year.

6. Please clarify the scope and details expected for requirement D in section 2.6, is this a detailed forensic review or a simple scan of which devices are communicating with

unknown internet traffic?

Simple scan.

7. Are there any specific threats you are concerned about? No.

8. Is there any specific private information stored or transmit that you are particularly concerned about?

PII and PHI data.

9. Have there been any past information security incidents we should take into consideration while performing our testing?

No.

10. How many users do you have? How many IT Staff? Are they in-house or outsourced?

MIA has approx 300 internal users and 16 in-house IT staff.

11. Are there remote access capabilities for your network (such as a VPN or remote desktop

software like RDP, LogMeIn, GoToMyPC, etc.)?

Yes, VPN and Terminal Services.

12. How many Internet/public facing servers do you have (physical and virtual)? How many public IP addresses?

One physical and three virtual servers and thirty public IP addresses –

167.102.134.128/27.

13. How many physical offices/locations do you have?

One physical office building and one physical remote location.

14. How many internal servers do you have (physical and virtual)?

Approx thirty servers will be in scope for security penetration testing.

15. How many network devices by type (i.e. firewalls, routers, switches, load balancers, etc.)

are in scope? Do you want them assessed only from the perspective of an attacker, or

will you also provide configuration files for review of configuration?

One firewall, one WAF, one router and one DMZ switch are in scope. Assessment should

be from the perspective of an attacker.

16. How many (estimated) internal hosts do you have?

Thirteen VMware ESXi hosts.

17. Are your servers self-hosted or hosted elsewhere?

Self hosted.

18. How many IP addresses are in scope (internal and external)?

10.120.240.0/24 and 172.30.0.0/21 are internal IP addresses and 167.102.134.128/27

are external.

19. Are all of the in-scope systems available from a single network segment?

In separate VLAN’s

20. Is port security or NAC controls present in the environment that would interfere with the

presence of unmanaged systems?

No.

21. Do you self-host your email or use a hosting provider?

MIA uses the State of Maryland’s Google Apps environment for email.

22. Do you self-host your website or use a hosting provider?

The MIA web site is hosted by the State of Maryland’s Department of IT (DoIT).

23. Do you want a vulnerability assessment or full penetration test for the website and web

applications? Will the applications be tested with and without credentials? If so, how

many different user roles/sets of credentials will be tested for each application?

MIA website and web applications are not in scope for security penetration testing.

24. Are any email contact forms or forms present that may generate tickets or emails if

posted to? (Automated web application vulnerability scanners will be used during the

assessment that send a multitude of posts to web forms. As a result of this scanning

thousands of emails, alerts and tickets may be generated).

MIA website and web applications are not in scope for security penetration testing.

25. Will the network be stable during the test, no changes?

Yes.

26. If vulnerability is discovered on a desktop, server or network device, does ePlus have

permission to trigger the vulnerability with an exploit?

Not without advance approval.

27. If a system is compromised, does EPlus have permission to execute post exploitation

commands to recover passwords, search memory and recover document and folders?


28. If a system is compromised, does EPlus have permission to use that system as a pivot

point for further network attacks?

Yes.

29. If access to a privileged account is gained, does EPlus have permission to access the

Domain Controller?


30. If access to a privileged account is gained, does EPlus have permission to access the mail

servers?

Yes.

31. If access to a privileged account is gained, does EPlus have permission to access the

database servers?


32. If Domain Controller access is gained, does EPlus have permission to create accounts?


33. If Domain Controller access is gained, does EPlus have permission to recover the password hashes?


34. Do you wish to include Arp poisoning attacks in the penetration test?

No.

35. What types of social engineering testing do you require? (i.e. email phishing, phone

phishing, onsite breach of physical security, etc.) If phishing is required, how many users

will be targeted for each type of phishing, and how many separate attempts should be

made for each user? Can phishing be performed in conjunction with our other testing (in

which case, information obtained will be used in other testing areas), or must it be a

separate and distinct test? If breaches of physical security are to be attempted, what are

the locations to be tested?

Which physical locations are in scope for the Wireless Assessment? How many SSIDs and APs at each location will be in scope?

Are there any time limits for how long the exercises are to be conducted? Are there any additional notes, concerns, or parameters that need to be considered

that you would like to highlight?

Social engineering and wireless testing are not in scope.

36. General Information

a. What is the primary driver for having a penetration test performed? See section 2.2.2. of the TORFP.

b. If the penetration test driver is for regulatory compliance, which specific requirement(s) applies?

The driver is not for regulatory compliance.

c. Have you had penetration tests performed in the past? If so, when was the most recent one performed?

Yes, DoIT conducted penetration tests on the MIA’s web applications in 2015.

d. Is the plan to have penetration test performed on a recurring basis or as needed? If recurring, how often?

As needed.

e. What are your currently installed security tools / suites? IBM Q-Radar.

f. Have you conducted a Cyber Security Data Management Analytics? Do you want us to look into that?

No to both questions.

37. Application or Infrastructure

g. Is testing to be completed at an application level or infrastructure level or both?

Both.

h. When does testing need to start and/or be completed by?

We have no pre-determined schedule.

i. Do you have any specific / custom reporting requirements? No.

j. Is there to be an allowance made for re-testing for the system after remediation? No any re-testing would be contracted via a supplemental Work Order.

38. External Penetration Testing

k. Is the penetration test going to include network layer testing? If so, how many IP addresses will be included in the scope of testing?

Yes. 10.120.240.0/24 and 172.30.0.0/21 are internal IP addresses and

167.102.134.128/27 are external.

l. Do you want us to have any of the identified vulnerabilities exploited? No.

m. Is the penetration test going to include application layer testing? If so, how many websites and / or web applications will be included in the scope of testing?

No and none.

n. Are the targets in the scope of testing live and in production? Yes.

o. If websites are included in the scope and portions of the website require credentials to access, how will that be handled?

Not applicable.

p. If there are IPS solutions or web application firewalls in place that can prevent or block penetration test activities, how will they be handled?

Configured as normal.

39. Scale – Ranges – Hosts – Location q. What range of IP address will be provided?

10.120.240.0/24 and 172.30.0.0/21 are internal IP addresses and 167.102.134.128/27

are external.

r. How many hosts or devices are to be tested? Approximately 30 servers, one firewall, one WAF, one router and one DMZ switch are in

scope.

s. Is testing to be external or internal? Both.

t. Is testing to be conducted during business hours or non-business hours? During non-business hours.

u. What are the affected wireless infrastructure physical addresses? Not applicable.

40. Internal Penetration Testing Targets

v. What is the total number of targets that will be included in the scope of testing? Approximately 50.

w. If servers are included in the scope of testing, what is the approximate number to be tested?

Approximately 30.

x. If workstations are included in the scope of testing, what is the approximate number to be tested?

Approximately 10.

y. If network devices are included in the scope of testing, what is the approximate number to be tested?

One firewall, one WAF, one router and one DMZ switch are in scope.

z. If peripherals are included in the scope of testing, what is the approximate number to be tested?

Not applicable.

aa. The conventional approach for conducting internal penetration testing is to allow

the tester on the premise; connect to the corporate network and obtain a valid IP

address; be placed on a network with the targets or is routable to the networks

with the targets; any security systems in place treat the tester’s machine as any normal user’s machine. If your expectation of the approach differs from the above, please explain.

The MIA’s expectation is consistent with this approach.

41. Application / Systems Testing

bb. What applications / systems are subject to testing? Please provide URLs if possible. Please provide a test login to enable us to walk through the application.

None.

cc. What are the major functions of the target applications / systems?

Not applicable.

dd. Is testing to be completed with or without valid user credentials?

Not applicable.

ee. Are the applications in-house developed or based on commercial products? If in-

house, what language was used in the development?

Not applicable.

ff. Will the system be in production at the time of testing? Not applicable.

gg. How many pages are in the application?

Not applicable.

hh. How many input fields (approx.) does the application have?

Not applicable.

42. Databases and Data Analytics

ii. How many databases are running in production? What kind? And what’s the approximate size of each database?

Not applicable.

jj. Do you currently have any cloud implementation? If yes, what are the scope and protocols of your cloud infrastructure?

Cloud infrastructure is not in scope for security penetration testing.

kk. Have you conducted a Cyber Security Data Management Analytics? Do you want

us to look into that?

No to both questions.

ll. Has there been any form or cyber-attack or systems / data compromise at MIA? Not that we are aware of.

mm. Any incidents you would like to share with us?

No.

43. MIA Business Unit Locations and Wireless Infrastructures

nn. What are the physical addresses for all MIA’s business units and wireless infrastructures?

Physical address is for the MIA business units is 200 St. Paul Place Baltimore,

Maryland 21202 and wireless infrastructure is not in scope for security penetration

testing.

44. User Training and Manuals

oo. Do you expect us to engage in user training functions?

No.

pp. Do you expect us to prepare User Cyber Security Best Practices Manuals?

No.

45. Proposed Personnel and Task Order Staffing

qq. We are required to propose three Key Personnel as per the TORFP. What are the specific CATS+ Master Contract Project Number Labor Categories for these

positions? Out pricing will be determined on these labor categories.

Contractor responsibilities including, KEY Personnel requirements are defined in section

2 of the solicitation. Offerors may propose job descriptions for KEY Personnel. Those job

descriptions do not have to correspond with job descriptions under the CATS Plus master

contract.

46. TORFP Minimum Qualifications

rr. We have found that the InfoSec Assessment Methodology (IAM) Certification is an outdated certification. Could you please consider removing this requirement?

ss. Would you please change the requirement for a Cisco Master Security Specialized Partner Certification to a Current Industry Recognized Cyber Security solutions

and services certification?




47. New TORFP Released on 1/4/2017

tt. There are several changes on the new TORFP released on 1/4/2017. Namely the following sections have been removed from 2.6 Requirements:

i. Regulatory Requirement Assessment

ii. Business Continuity Assessment

iii. Social Engineering Assessment

iv. Web Applications and Website Security Test

v. Wireless Infrastructure Test

What are the purposes and scopes of these changes? What are the performance

and deliverable impacts of these changes in this project?

The purpose of these changes is to reduce the scope of work. Section 2.8.4 of the TORFP

has been updated to reflect a reduced number of deliverable to correspond with these

changes.

48. Can we provide supplemental information on professional services that compliment or

enhance what’s listed in the TORFP?

Yes

49. On page 21 of the TORFP, under 2.9.1 you have listed Cisco Master Security Specialized

Partner Certification as a minimum requirement. While this Cisco certification is Cisco’s partnership and marketing measure, our team possess highly regarded and industry

leaders’ certifications. Would MIA be willing to change these two minimum requirements: InfoSec Assessment Methodology (IAM) Certification and the Cisco

Master Security Specialized Partner Certification to Industry Leaders Recognized,

Current and Most Relevant Certifications?




50. Would MIA allow proposal of the listed optional services to include our Incident Response Plan Development and Table Top Exercise Services?

We do not need these services. However you are free to add them to your proposal.

51. Is it appropriate to propose vulnerability scans and less invasive techniques to meet the

intention of the MIA Internal and External Testing requirements; while with MIS’s

agreement during the rules of engagement perform more aggressive testing to identify

and attack significant cyber targets to meet the Penetration Testing requirement?

To be considered “responsive” a bid must conform in all material respects to the specifications outlined in the RFP.

52. How many days are you going to allow for the submission of our proposals after you

respond to our questions? At least a week would be great.

Please see the amended TORFP. MIA has extended the closing date until 03/17/2017.

Pre-Bid Conference 1/17/2017 Pre-Bid Conference for Security and Penetration Testing

Page 1 STATE OF MARYLAND

MARYLAND INSURANCE ADMINISTRATION

Office of Procurement

200 St. Paul Place, Suite 2700

Baltimore, Maryland 21202

IN RE:

PREBID CONFERENCE FOR SECURITY PENETRATION TESTING

Reported by: Erica Jones, Court Reporter

EVANS REPORTING SERVICE

The Munsey Building, Suite 705

Seven North Calvert Street Baltimore, Maryland 21202410.727.7100 800.256.8410

Coast to coast coverage Evans Reporting Service Over 25 years Unsurpassed excellence 800-256-8410 award-winning service


Page 2 1 PRE-BID CONFERENCE

2 A Pre-bid Conference in the

3 above-captioned matter held before the State of

4 Maryland Insurance Administration, on Tuesday,

5 January 17, 2017, commencing at 2:03 p.m., and

6 reported by Erica Jones, Court Reporter and Notary Public.

7

8 APPEARANCES:

9

10 MIA STAFF MEMBERS:

11 Rodney Spence, MIA Procurement Officer

12 Katrina Lawhorn, MIA Procurement Officer

13 Mark Coburn

14

15 OTHERS PRESENT:

16 Antonio Frulio, IVA CommunicationsSolomon Mammo, IVA Communications

17 Murphy Payne, IVA CommunicationsMike Gonzalez, BAE Systems

18 Mark Trump, BAE SystemsJennifer Eslin, ePlus

19 Ron Brown, ePlus

20

21



Page 3 1 CONFERENCE PROCEEDINGS:

2 MR. SPENCE: My name is Rodney Spence.

3 Good afternoon and thank you for coming here. I'm

4 the procurement officer and this is the Pre-bid

5 Conference for Security and Penetration Testing.

6 The solicitation number is D80B5400025. There's no

7 new media involved for this solicitation. There is

8 no VSB involved in this solicitation either. This

9 solicitation is being done by competitive sealed

10 proposal. The State uses a two-part evaluation

11 process as far as there's a technical evaluation.

12 And then there's a financial evaluation.

13 If your technical proposal does not meet

14 our minimum qualifications or requirements, then we

15 will send your financial proposal back to you

16 unopened. If we have questions about your

17 technical, then we will need to resolve those

18 questions before we move on to your financial.

19 At this point, I'm going to let the rest

20 of the people on the panel introduce themselves and

21 state their positions. And we will get into some



Page 4 1 question and answer. When we do the question and

2 answer, I would ask that we go from right to left,

3 front to back, state your name, state the company

4 that you work for. If you don't have a question,

5 just for the record, we would still ask that you

6 state your name and company that you work for.

7 MS. LAWHORN: I'm Katrina Lawhorn, a

8 procurement officer also.

9 MR. COBURN: I'm Mark Coburn and I'm team

10 infrastructure supervisor.

11 MR. SPENCE: So at this point, Mark is

12 going to tell us about the project background in the

13 scope report.

14 MR. COBURN: Yes. The MIA computing

15 infrastructure is a redundant, highly available,

16 secure system with firewalls, web application

17 firewalls, reverse proxies, intrusion prevention

18 system, intrusion detecting systems, web security

19 appliances, anti-virus software. And the State has

20 conducted web application penetration tests on some

21 of the agency's web application.



Page 5 1 But MIA is undertaking this project to

2 conduct a more thorough assessment of cyber security

3 vulnerabilities. And we're seeking a consultant to

4 make recommendations on how to mitigate these risks.

5 Some of the highlights of the project is one, we'd

6 like the vendor to assess MIA security policies and

7 procedures and infrastructure against industry

8 standard best practices and document some of the

9 deficiencies.

10 Some of the other brief descriptions

11 revolve around the external system tests. We'd like

12 them to examine the external accessible equipment

13 for vulnerabilities from inside and outside the

14 internet. Also, some other activities revolve

15 around internal system and network testing, conduct

16 vulnerability scanning and validation against

17 internal IP address ranges and configuration review

18 of all internal systems.

19 The penetration test, we'd like some

20 activities designed to emulate an actual attack and

21 attempt to access and obtain organizational data.



Page 6 1 And also, we're looking to get a risk report that

2 can basically, you know, give an assessment of the

3 test and discuss deficiencies and make

4 recommendations to mitigate deficiences. That's

5 kind of it in the things that we do.

6 MR. SPENCE: Okay. So we're going to open

7 this up for question and answer at this point. I

8 just want to make sure you guys understand the

9 questions, for any questions that we receive are due

10 tomorrow by the close of business at 5 o'clock.

11 So this gentlemen is on my right.

12 MR. GONZALEZ: Sure. Should I stand up

13 or --

14 MR. SPENCE: If you want to stand up,

15 that's fine.

16 MR. GONZALEZ: No. I'll just sit.

17 My name is Mike Gonzalez and I'm with BAE

18 Systems. We're partnered, we're teamed up with IVA

19 Communications and master contractor. One of our --

20 one of our focuses of our questions is around --

21 well, I guess first the time line about once we get



Page 7 1 our response. Once we get our questions over to you

2 tomorrow, what's the time line for getting it back

3 to us so that we can put our response on a final

4 report?

5 MR. SPENCE: Okay. So the answer to that

6 question is we're going to get them back as soon as

7 possible. The time it takes us to answer all the

8 questions is depending on how involved the questions

9 are and how many we receive.

10 Hopefully, we can get them out to you by

11 the end of the week.

12 MR. GONZALEZ: Okay.

13 MR. SPENCE: But I can't guarantee we will

14 get them to you until we know what we're working

15 with.

16 MR. GONZALEZ: Sure. I guess, can I

17 follow that up?

18 MR. SPENCE: (No verbal response.)

19 MR. GONZALEZ: Can I follow that question

20 up?

21 MR. SPENCE: Yes, sure. Go ahead.



Page 8 1 MR. GONZALEZ: So is the volume of

2 questions or the amount of time it's going to take

3 to get -- answer those questions, going to impact

4 the final date? The 31st is the date today right

5 now. Is that -- would that push that back?

6 MR. SPENCE: If we feel like we need an

7 extension, then we will extend it.

8 MR. GONZALEZ: Okay.

9 MR. TRUMP: I'm Mark Trump. I'm with BAE

10 Systems and we're teaming with -- with IVA

11 Communications. The question I have is we deliver a

12 host of services and one of the things I noted that

13 we've seen a lot of other agencies look for is

14 incident response.

15 And I was wondering if it's -- if it's too

16 late to provide an optional service such as incident

17 response program review, retain incident response

18 services for instance to supplement the MIA's

19 security program. That's one of the questions I

20 have.

21 MR. SPENCE: That sounds like a technical



Page 9 1 question.

2 MR. COBURN: Well, I think it's more of a

3 procedural. I mean it's like a -- like a

4 policy-type question where you're talking about an

5 incident response --

6 MR. TRUMP: Sure.

7 MR. COBURN: -- like what the process is

8 in case there is a --

9 MR. TRUMP: Right.

10 MR. COBURN: -- you know, a breach.

11 MR. SPENCE: More like a service level

12 agreement?

13 MR. TRUMP: Well, absolutely. It wasn't

14 requested as one of the items in the technical

15 scope. So we were wondering if -- if it's possible

16 to add an optional scope to this at this time. If

17 it's not, then understood. But we did want to ask

18 that question.

19 MR. SPENCE: That's something we're going

20 to research and get back to you. If you want to,

21 submit that question in writing.



Page 10 1 MR. TRUMP: Okay.

2 MR. MAMMO: My name is Solomon Mammo. I'm

3 from IVA Communications and I'm here with my

4 partner. The question I have for you is the specs

5 list. You have required us to have three personnel

6 performing this project. But you have not specified

7 which positions. In the CATS+ contract, there are

8 positions under the contract. And usually when they

9 run down RFPs, they will choose what the category,

10 meaning which positions for that level

11 categorization for this -- this RFP.

12 So my question is can you tell us what

13 those three positions are or is it open for us?

14 MR. SPENCE: You're asking about the CATS+

15 job descriptions, right?

16 MR. MAMMO: Well, the job's categories.

17 On the RFP --

18 MR. GONZALEZ: Categories.

19 MR. MAMMO: The job categories are -- are

20 fixed. There is a list of job positions under

21 CATS+. So when you are -- are asking us to submit



Page 11 1 personnel, it has to be from that -- one of those

2 listings.

3 MR. SPENCE: Okay. All right. What I'll

4 tell you is that I'll have to take a look at what

5 you're talking about.

6 MR. MAMMO: Okay.

7 MR. SPENCE: Please submit that in writing

8 and we'll answer your questions.

9 MR. MAMMO: Just to follow up on Michael's

10 question. So I will have the list of entire

11 question by tomorrow for you.

12 MR. SPENCE: Okay.

13 MR. MAMMO: Right. How does that

14 impact -- how soon you can respond back when the

15 project is due? Like if you do not respond by let's

16 say January 30th and the project is due the next

17 day, that means we didn't have enough time to send

18 our responses.

19 So can you give us at least one week

20 working -- after you give the responses?

21 MR. SPENCE: Okay. So I'm just going to



Page 12 1 repeat what I told him. We're going to do our best

2 to get the answers to the questions out as quickly

3 as possible. If we feel like we need to put an

4 extension, then we will give you a reasonable amount

5 of time to respond. That's something we're going to

6 look at, okay?

7 MR. FRULIO: Antonio Frulio. I'm with IVA

8 Communications and I don't have any questions.

9 MR. SPENCE: Okay.

10 MR. PAYNE: My name is Murphy Payne. I'm

11 also with IVA and I don't have questions either.

12 MR. BROWN: I'm Ron Brown from ePlus. I

13 have a question. The level of -- one of the

14 requirements has a level of detail for a scan. And

15 it wants us to look at potential compromised

16 systems.

17 Are you expecting a forensic analysis or a

18 very high level scale of IP addresses and those

19 external locations that are probably coming into

20 your environment that you weren't aware of?

21 MR. COBURN: Not a forensics analysis.



Page 13 1 MR. BROWN: So not a deep dive?

2 MR. COBURN: No.

3 MR. BROWN: Okay.

4 MS. ESLIN: I'm Jennifer Eslin. I'm also

5 with ePlus. We do have other questions and I think

6 we'll probably submit them in writing because I

7 think a lot of them are questions that you're

8 probably going to need to, you know, research and

9 get back to us and you'll want to be a part of the

10 official record.

11 So I think we will have a nice healthy

12 list for you that you'll get by tomorrow to start

13 answering.

14 MR. SPENCE: Thank you. I appreciate it.

15 MR. BROWN: Can I ask one more question?

16 MR. SPENCE: Sure. Go ahead.

17 MR. BROWN: There's a certification in

18 there that you're requiring from some of the

19 individuals.

20 MS. ESLIN: Here (indicating).

21 MR. BROWN: Yeah, if I can look for a sec



Page 14 1 (perusing).

2 MS. ESLIN: The IAM Certification?

3 MR. BROWN: Yeah. Is that a hard stop if

4 they do or don't have that certification for

5 individual firms?

6 MR. SPENCE: If we were to change that, it

7 would require like some sort of amendment. So I

8 could say for now, it's a hard stop. If it's in the

9 solicitation, then that's what we're asking.

10 MR. BROWN: Okay. You don't see a whole

11 lot of those out there.

12 MR. SPENCE: I can't hear what you're

13 saying.

14 MR. BROWN: You don't see a lot of those

15 out there very often.

16 MR. SPENCE: Okay.

17 MR. TRUMP: Same question, same concern.

18 MR. SPENCE: Well, you can submit your

19 questions. You know, when we put together our

20 answers, if something changes as a result of your

21 questions -- that's what the back and forth is



Page 15 1 for -- we will let you know.

2 MS. ESLIN: Okay.

3 Does anybody else have any other

4 questions?

5 MR. TRUMP: Follow-up. Is all the work to

6 be conducted in one facility or is there multiple

7 MIA facilities in your --

8 MR. COBURN: One facility.

9 MR. TRUMP: And then to clarify, the three

10 requirements -- the external testing, internal

11 testing, PEN testing -- so there's a few ways we

12 could bucketize [sic] this research.

13 One, for instance, would be full

14 vulnerability scan and so forth without invasive

15 action on the external and internal providing all of

16 the theoretical holes that are there with mitigation

17 recommendations. And then secondly, using the PEN

18 test for actually -- an -- attack attempts.

19 Otherwise, we could do an internal/external PEN test

20 with full capability, which would omit the need for

21 another PEN test following.



Page 16 1 So we're anticipating to provide a

2 response to vulnerability scans and non-invasive

3 testing for the internal/external with full

4 reporting and then do the attack testing internally

5 using the PEN test binary.

6 MR. COBURN: I would submit a question on

7 that.

8 MR. TRUMP: Okay.

9 MR. COBURN: That way, it's clear for

10 everybody.

11 MR. TRUMP: Understood, understood. That

12 way, we can respond back and phase over --

13 MR. SPENCE: All right. Let's -- okay.

14 MR. BROWN: Is this the first time you've

15 done this level of testing or has it been done in

16 the past by another vendor?

17 MR. COBURN: We've had a light testing

18 done by DOIT. They offered a free web assessment

19 vulnerability test.

20 MR. BROWN: But not a scaling test like

21 this?



Page 17 1 MR. COBURN: No. This is the most

2 intensive test we've had to date.

3 MR. BROWN: Again, is it a one-time with

4 an option to continue in the future or is it --

5 MR. SPENCE: I will let --

6 MR. COBURN: I don't want to guess. I

7 think it's a continued in the future, I believe but

8 I, you know -- submit that question and we'll

9 respond.

10 MR. SPENCE: We will get back to you.

11 MR. MAMMO: And finally, when do you

12 expect to start this project?

13 MR. SPENCE: As soon as possible, as soon

14 as we award it, as soon as possible.

15 MR. GONZALEZ: I'm sorry. Mike Gonzalez.

16 Basically -- and another question.

17 We saw the certifications changed with the

18 last solicitation. You know, what was the emphasis

19 around that? Was that -- again, is that a hard stop

20 or, you know, just questioning regarding that as far

21 as -- again it's not a certification. It's not,



Page 18 1 it's --

2 MR. COBURN: Which certification are you

3 talking about?

4 MR. MAMMO: The SSCP.

5 MR. GONZALEZ: The SSCP --

6 MR. MAMMO: That was added after the last

7 revision on January 1st.

8 MR. COBURN: Well, submit a question on

9 that and we'll review it and determine if that is

10 a -- because I think there was something with the

11 minimal requirements. And I can't remember what the

12 original was.

13 Submit a question on that and we will get

14 some clarifications. I believe all the minimal

15 requirements are going to be required for this test.

16 It could mean like what we need or I need as far as

17 --

18 MR. SPENCE: Yeah. The minimal

19 requirements aren't going to change unless we move

20 for it.

21 MR. GONZALEZ: Understood.



Page 19 1 MR. SPENCE: So if you guys submit your

2 questions, if we need clarity to one of those rules,

3 we will make that announcement to everyone we know.

4 For now, the requirements -- the minimal

5 requirements that are in the solicitation are what

6 you need to be able to respond to.

7 All right. We're going to go ahead and

8 close this down. I thank everyone for coming today.

9 Again, your questions are due tomorrow by 5 o'clock

10 p.m. local time. If you have any questions about

11 this whole meeting, just give me a call, send me an

12 e-mail. Everyone's going to get a copy of the

13 transcripts of this by e-mail. And that's it.

14 Everyone have a good day.

15 (The conference concluded at 2:19 p.m.)

16

17

18

19

20

21


1 REPORTER'S CERTIFICATE

2 STATE OF MARYLAND

3 CITY OF BALTIMORE

4 I, Erica Jones, a Notary Public of the State of

5 Maryland, Baltimore City, do hereby certify that the

6 above-captioned proceeding took place before me at the

7 time and place herein set out.

8 I further certify that the proceeding was

9 recorded stenographically by me and this transcript is a

10 true record of the proceedings.

11 I further certify that I am not of counsel to

12 any of the parties, nor an employee of counsel, nor

13 related to any of the parties, nor in any way interested

14 in the outcome of the action.

15 As witness my hand and seal this 18th day of

16 January, 2017.

17

18

19

20 Erica Jones

21 My Commission Expires 02/22/2020

_______________________________



q&A D80B5400025 (SVPT)pbc011717conference20 Full (3)

Questions From Pre Bid Conference€¦ · Security and Penetration Testing D80B5400025 (SVPT) Questions From Pre Bid Conference Question 1, Page 6 & 7 MR. GONZALEZ: Once we get our

Documents